The next evolution in Office365 phishing campaigns

-

 

It comes as no surprise that Office365 is one of the most targeted services for phishing attacks worldwide. Credentials for enterprise Microsoft accounts are some of the most valuable for threat actors who can leverage them for a number of activities with this initial access vector. This ranges from stealing emails, business email compromise (BEC), to internal spear-phishing and malware attacks.

The latest wave of Office365 credential harvesting attacks involve multiple steps. This includes the phishing email itself, a malicious URL, a legitimate document hosting service (such as *.clickfunnels[.]com or *.larksuite[.]com), and the fake login page. These kits are also known as a "LogoKit" for being able to dynamically alter the page's appearance based on the domain in the target's email address. 

Demo of how this works: https://app.any.run/tasks/e59d36ba-5a2c-49e3-8b59-8044bf593689/

(Fig. 1 - Current phishing chain leveraged in this campaign from January to February 2021)

This campaign typically leverages free domains using multiple gTLDs - namely .tk, .gq, .ml, .ga, and .cf - and hosts them on NameCheap servers (AS22612).

(Fig. 2 - Analysis of the infrastructure behind the high number of Office365 landing pages)

Fortunately, the ZIP archive of the phishing kit used in this campaign was located, sitting in an open directory. Analysis of the PHP and JavaScript behind this phishing kit revealed how the data is being collected and exfiltrated:

(Fig. 3 - Analysis of the phishing kit's code)

A number of details were left in the phishing kit which enabled me to pivot, using OSINT techniques, to the threat actor's profiles online. This is likely either the threat actor who is stealing the credentials for illegal gains or the individual who coded the phishing kit. 

(Fig. 4 - The OSINT trail I used to connect to phishing kit to the threat actor)

From investigating open sources, other security researchers have run into this threat actor in the past. They have been actively running phishing campaigns for over a year. (1, 2, 3

Threat Intelligence:

Next, it is possible to track this campaign via open source tools. The phisher uses a number of TTPs which we can use to monitor for signs of this campaign. Although, by disclosing the threat actor's techniques it may force them to change their tactics but, by doing so, it incurrs costs to the adversary.

The URLscan assets we can use to track this campaign:

Legitimate services leveraged to host malicious documents:
  • *.larksuite[.]com
  • *.clickfunnels[.]com
Indicators of Compromise (IOCs):
Call to action:

These types of phishing campaigns are one of the most persistant threats on the current threat landscape. They are unlikely to dissappear anytime soon. Hosting providers and registrars continue to permit cybercriminals to create hundreds of domains that are only for one thing - stealing credentials. Until hosting providers clear up their act, these credential phishing campaigns will continue.

In the meantime, organisations are highly recommended to implement multi-factor authentication (MFA) to prevent threat actors from logging in with stolen credentials. Further, organisations should monitor for successful login attempts from unrecognised IP or MAC addresses, as well as enforcing a comprehensive password policy - which includes changing passwords in a given time period (60 days is the recommended amount).

I would also like to give thanks to @n14 from @CuratedIntel who shared the initial landing page which led me down this rabbit hole. Collaborating on security research and sharing actionable intelligence is key to success amongst us CTI analysts.

My previous blogs on phishing are as follows:

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on
Read more